The California Consumer Privacy Act (CCPA) is a regulation that went into effect on January 1, 2020. It guarantees consumers certain protections regarding how organizations use their personal data. If an organization fails to comply with the law and/or suffers a data breach in which consumer data is stolen, the organization is subject to fines, and each affected individual can sue for damages under certain circumstances.
What is CPRA?
The California Privacy Rights Act (CPRA) was passed in 2020 (see Proposition 24) and goes into effect on January 1, 2023. CPRA is meant to enhance CCPA by establishing a stand-alone privacy regulator. It “…also boosts some of the CCPA’s central privacy protections and expands the types of liability businesses may face for privacy or information security violations” (citation).
A Closer Look at New Changes in the CPRA
The changes from CCPA to CPRA are significant. Here are the key changes in CPRA that you should be aware of:
Who MUST Comply? B2C and B2B Businesses
One of the major changes in CPRA is its revised definition of a “business.” CCPA had the unintended consequence of affecting very small businesses, and CPRA tries to correct that by focusing on larger businesses.
CCPA also exempted B2B organizations from compliance, and CPRA extended that exemption. The extension is set to expire in 2023.
As of the writing of this post, two bills have been proposed to extend the CPRA exemptions. However, we recommend that all businesses that fall under the criteria below follow the full scope of CPRA, as these bills will likely be challenged by privacy advocates (citation).
We highly recommend that any business with concerns speak to a privacy attorney for guidance.
Under the new CPRA definition, any business that meets one or more of the following criteria is subject to enforcement:
A business with gross annual revenue of over $25 million per year.
A business that derives 50% or more of its annual revenue from sharing or selling California consumers’ personal information.
A business that annually buys, shares, or sells the personal information of over 100,000 consumers.
Creation of the California Privacy Protection Agency (CPPA)
CPRA makes the California Privacy Protection Agency (the “Agency” or CPPA) the chief supervisor and enforcer of data privacy rules. The CPPA is governed by a five-member Board and will coordinate with the California Attorney General to enforce civil penalties and turn collaborative efforts into concrete enforcement actions.
Separation of Sensitive and Personal Information (PI)
Under CPRA, there is a new category for sensitive personal information (SPI). SPI will be regulated separately from, and more strictly than, regular personal information.
CPRA’s SPI categorization is intended to track with the General Data Protection Regulation (GDPR) of the European Union and designates certain information elements as sensitive. For starters, CPRA counts the contents of a consumer’s email, text messages, and mail as sensitive.
New Additions and Updates
Before CPRA, businesses were not required to wait twelve months before seeking a minor consumer’s consent to share or sell their PI. Furthermore, consumers now have the right to decide whether a specific piece of information may be shared for cross-context advertising.
CPRA gives residents of California four new rights on top of five updated rights.
Updated consumer rights in CPRA include:
Right to Delete personal information
Right to opt out of third-party sharing and sales of data
Right to portability of data
Dedicated minor rights
New privacy rights for consumers that are not part of the CCPA include:
Right to modify or correct information
Right to access information about automated decision-making by businesses
Right to limit the use and disclosure of personal information
Right to opt out of automated decision-making technology.
CPRA allows consumers to opt out of automated tools that profile them and that can affect their work performance, health, economic situation, interests, behavior, and personal preferences.
Executive Summary & Key Components of CPRA
An executive summary of CPRA from the Californians for Consumer Privacy website is as follows (citation):
Access & Deletion rights: consumers can obtain and delete their own personal information.
Prevent the sale of data: consumers can prevent the sale of their information.
Protect children: guardian or teen permission is required prior to the sale of children’s info.
Purpose limitation: only use a consumer’s info for a stated purpose.
Storage limitation: keep a consumer’s info only as long as the business has stated it publicly.
Data Minimization: don’t collect more consumer info than necessary.
Chain of custody: onward transferees must offer the same level of protection.
Requirement for reasonable & appropriate security to protect personal info.
Deletion expansion: businesses must be able to tell businesses they’ve sold personal info to, or shared it with, to delete info when a deletion request is received.
Right of Correction: let consumers correct personal information with businesses.
Triples fines for violations involving children’s information.
Sensitive Personal Info: right to stop its use (includes race, precise geolocation, religion, union membership, genetics, biometrics, sexual orientation, contents of communications).
Right to see ‘all’ personal info, not just the last 12 months.
Precise geolocation: no tracking within ~250 acres.
Profiling: the right to object to automated decision-making and learn meaningful information about the logic involved.
Removing 30-day right to cure violation (ends “two strikes you’re out”).
Right to opt-out of cross-context behavioral advertising fixes major CCPA weakness.
Data protection agency with guaranteed funding
2x+ bigger than current enforcement
Removes exclusive enforcement by AG: allows 58 counties and 4 largest city DAs to enforce the law via Business & Professions Code Sec. 17200
Annual cybersecurity audits and risk assessments for high-risk data processors.
Chief Privacy Auditor to audit businesses for compliance w/ CPRA.
Prevents law from being weakened in the Legislature because any amendments must be in furtherance of consumer privacy (which are then allowed by a simple majority of the Legislature).
Fines Under CPRA
Fines under CPRA range from $2,500 per unintentional violation to $7,500 per intentional violation. It is important to remember that these violations include using, sharing, or selling a minor’s data. Enforcement will begin on July 1, 2023, six months after CPRA becomes effective on January 1, 2023.
For example, an unintentional violation involving the personal information of 1,000 customers could result in fines of $250,000.00. If the breach involves minors, the fines could be tripled, not to mention the possibility of class action suits.
Scenarios and Provisions
CPRA adds GDPR-style provisions to CCPA and expands consent requirements to cover more scenarios.
Accountability for Businesses
CPRA makes businesses accountable for how other parties share, use, and sell consumers’ personal information.
In addition to service providers, businesses, and third parties, CPRA adds contractors to the set of parties that must comply with the new regulations.
Next Steps
Speak with a Privacy Attorney
Speak with an attorney about having CPRA interpreted for your business. Your attorney will help you prepare draft notices, guidelines, template letters, and other materials related to Consumer Notice, Consumer Rights, Nondiscrimination, General Provisions, and more.
How Consilien can help
CPRA Roadmap Assessment. We have an IC24 Assessment package that will help any organization get on the road toward CPRA compliance. It includes a detailed assessment of your security posture in relation to CPRA, a vulnerability scan and gap analysis of your network and environment, and an executive summary report. The final report will give you a roadmap toward compliance.
Data Mapping. Map your structured and unstructured data. This includes:
Identifying personal information on all systems, devices, applications, and locations where personal information is collected, processed, and stored.
Determining where it is disclosed and shared with third parties, including between different divisions.
Creation of a data map.
Procedure Development. Once the data has been identified, collected, and mapped, we will help you create new policies and procedures to ensure CPRA compliance.
Documentation of Policies, Controls, and Processes. We will help you prepare draft notices, guidelines, template letters, and other materials related to Security Incident Procedures, Vendor Management, Data Security, Training, Data Mapping, and more.
Training. Provide employee training on how to receive and respond to consumer requests, data handling, data security, and security awareness training.
Cybersecurity Posture Improvement. Recommendations and/or implementation of products and services to ensure you comply with industry best practices.
Call us today for more information: 866-680-3388 or ProtectMe@Consilien.com
Krista Hollingsworth, Chief Revenue Officer for Consilien, helps to create a culture of security awareness through an integrated approach to cybersecurity awareness training. Krista is responsible for creating and nurturing short-term and long-term strategic marketing, branding, and sales road maps.